Automated risk assessment based on machine generated investigation

US 10,326,676 B1
Filed: 01/08/2019
Issued: 06/18/2019
Est. Priority Date: 01/08/2019
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using on one or more network computers over one or more networks, wherein the execution of instructions by the one or more network computers perform the method comprising:

instantiating a monitoring engine to perform actions, including;

providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and

instantiating an inference engine that performs actions, including;

determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;

determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;

employing the communication channel to provide one or more investigative agents to the one or more users;

annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;

determining the one or more investigative agents based on the annotated anomaly information;

employing the annotated anomaly information to further determine the communication channel;

collecting investigative information from the one or more investigative agents over the communication channel; and

providing a risk value that is associated with the one or more anomalies based on the investigative information.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic using a network computer. The network computer provides anomaly information associated with anomalies that may be associated with monitored network traffic. An inference engine may determine the users associated with the anomalies based on the monitored network traffic. A communication channel associated with the users may be determined based on the anomalies and the monitored network traffic such that the communication channel may be separate from the monitored network traffic. The communication channel may be employed to provide investigative agents to the users. Investigative information may be collected from the investigative agents over the communication channel. The inference engine may provide a risk value that is associated with the anomalies based on the investigative information.

44 Citations

View as Search Results

24 Claims

1. A method for monitoring network traffic using on one or more network computers over one or more networks, wherein the execution of instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
  
  instantiating an inference engine that performs actions, including;
  
  determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
  
  determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
  
  employing the communication channel to provide one or more investigative agents to the one or more users;
  
  annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
  
  determining the one or more investigative agents based on the annotated anomaly information;
  
  employing the annotated anomaly information to further determine the communication channel;
  
  collecting investigative information from the one or more investigative agents over the communication channel; and
  
  providing a risk value that is associated with the one or more anomalies based on the investigative information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein collecting the investigative information, further comprises, monitoring one or more interactions of the one or more users with the one or more investigative agents.
  - 3. The method of claim 1, further comprising employing one or more of an anomaly engine on the one or more network computers, one or more network monitoring computers, or one or more services that are separate from the one or more network computers to provide the anomaly information.
  - 4. The method of claim 1, wherein collecting the investigative information, further comprises:
    - employing the investigative agent to determine one or more target metrics that are associated with one or more of one or more target entities or the one or more users; and
      
      employing the investigative agent to provide the investigative information to the inference engine using the communication channel.
  - 5. The method of claim 1, wherein collecting the investigative information, further comprises:
    - employing the investigative agent to determine one or more target metrics that are associated with one or more interactions with the one or more users; and
      
      employing the investigative agent to provide the one or more target metrics to the inference engine using the communication channel.
  - 6. The method of claim 1, wherein the inference engine performs further actions, including, determining one or more remediation actions based on the investigative information, wherein the one or more remediation actions includes one or more of quarantining an endpoint, blocking network traffic, or locking a user account.

7. A system for monitoring network traffic in one or more networks:
- one or more network computers, comprising;
  
  a transceiver that communicates over the one or more networks;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
  
  instantiating an inference engine that performs actions, including;
  
  determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
  
  determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
  
  employing the communication channel to provide one or more investigative agents to the one or more users;
  
  annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
  
  determining the one or more investigative agents based on the annotated anomaly information;
  
  employing the annotated anomaly information to further determine the communication channel;
  
  collecting investigative information from the one or more investigative agents over the communication channel; and
  
  providing a risk value that is associated with the one or more anomalies based on the investigative information; and
  
  one or more client computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more of the one or more portions of the monitored network traffic.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein collecting the investigative information, further comprises, monitoring one or more interactions of the one or more users with the one or more investigative agents.
  - 9. The system of claim 7, further comprising employing one or more of an anomaly engine on the one or more network computers, one or more network monitoring computers, or one or more services that are separate from the one or more network computers to provide the anomaly information.
  - 10. The system of claim 7, wherein collecting the investigative information, further comprises:
    - employing the investigative agent to determine one or more target metrics that are associated with one or more of one or more target entities or the one or more users; and
      
      employing the investigative agent to provide the investigative information to the inference engine using the communication channel.
  - 11. The system of claim 7, wherein collecting the investigative information, further comprises:
    - employing the investigative agent to determine one or more target metrics that are associated with one or more interactions with the one or more users; and
      
      employing the investigative agent to provide the one or more target metrics to the inference engine using the communication channel.
  - 12. The system of claim 7, wherein the inference engine performs further actions, including, determining one or more remediation actions based on the investigative information, wherein the one or more remediation actions includes one or more of quarantining an endpoint, blocking network traffic, or locking a user account.

13. A network computer for monitoring network traffic over one or more networks between two or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
  
  instantiating an inference engine that performs actions, including;
  
  determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
  
  determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
  
  employing the communication channel to provide one or more investigative agents to the one or more users;
  
  annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
  
  determining the one or more investigative agents based on the annotated anomaly information;
  
  employing the annotated anomaly information to further determine the communication channel;
  
  collecting investigative information from the one or more investigative agents over the communication channel; and
  
  providing a risk value that is associated with the one or more anomalies based on the investigative information.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The network computer of claim 13, wherein collecting the investigative information, further comprises, monitoring one or more interactions of the one or more users with the one or more investigative agents.
  - 15. The network computer of claim 13, further comprising employing one or more of an anomaly engine on the one or more network computers, one or more network monitoring computers, or one or more services that are separate from the one or more network computers to provide the anomaly information.
  - 16. The network computer of claim 13, wherein collecting the investigative information, further comprises:
    - employing the investigative agent to determine one or more target metrics that are associated with one or more of one or more target entities or the one or more users; and
      
      employing the investigative agent to provide the investigative information to the inference engine using the communication channel.
  - 17. The network computer of claim 13, wherein collecting the investigative information, further comprises:
    - employing the investigative agent to determine one or more target metrics that are associated with one or more interactions with the one or more users; and
      
      employing the investigative agent to provide the one or more target metrics to the inference engine using the communication channel.
  - 18. The network computer of claim 13, wherein the inference engine performs further actions, including, determining one or more remediation actions based on the investigative information, wherein the one or more remediation actions includes one or more of quarantining an endpoint, blocking network traffic, or locking a user account.

19. A processor readable non-transitory storage media that includes instructions for monitoring network traffic over one or more networks using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
  
  instantiating an inference engine that performs actions, including;
  
  determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
  
  determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
  
  employing the communication channel to provide one or more investigative agents to the one or more users;
  
  annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
  
  determining the one or more investigative agents based on the annotated anomaly information;
  
  employing the annotated anomaly information to further determine the communication channel;
  
  collecting investigative information from the one or more investigative agents over the communication channel; and
  
  providing a risk value that is associated with the one or more anomalies based on the investigative information.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The media of claim 19, wherein collecting the investigative information, further comprises, monitoring one or more interactions of the one or more users with the one or more investigative agents.
  - 21. The media of claim 19, further comprising employing one or more of an anomaly engine on the one or more network computers, one or more network monitoring computers, or one or more services that are separate from the one or more network computers to provide the anomaly information.
  - 22. The media of claim 19, wherein collecting the investigative information, further comprises:
    - employing the investigative agent to determine one or more target metrics that are associated with one or more of one or more target entities or the one or more users; and
      
      employing the investigative agent to provide the investigative information to the inference engine using the communication channel.
  - 23. The media of claim 19, wherein collecting the investigative information, further comprises:
    - employing the investigative agent to determine one or more target metrics that are associated with one or more interactions with the one or more users; and
      
      employing the investigative agent to provide the one or more target metrics to the inference engine using the communication channel.
  - 24. The media of claim 19, wherein the inference engine performs further actions, including, determining one or more remediation actions based on the investigative information, wherein the one or more remediation actions includes one or more of quarantining an endpoint, blocking network traffic, or locking a user account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Driggs, Edmund Hope, Rothstein, Jesse Abraham
Primary Examiner(s)
Jaroenchonwanit, Bunjob

Application Number

US16/243,001
Time in Patent Office

161 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0816   the condition being an adap...

H04L 41/142   using statistical or mathem...

H04L 43/062   related to network traffic

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/12   Network monitoring probes

H04L 43/14   using software, i.e. softwa...

H04L 43/16   Threshold monitoring

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

Automated risk assessment based on machine generated investigation

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Automated risk assessment based on machine generated investigation

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links